DEBIAN-CVE-2026-23209

In the Linux kernel, the following vulnerability has been resolved:  macvlan: fix error recovery in macvlancommonnewlink()  valis provided a nice repro to crash the kernel:  ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2  ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20  ping -c1 -I p1 1.2.3.4  He also gave a very detailed analysis:  <quote valis>  The issue is triggered when a new macvlan link is created  with MACVLANMODESOURCE mode and MACVLANMACADDRADD (or MACVLANMACADDRSET) parameter, lower device already has a macvlan port and registernetdevice() called from macvlancommonnewlink() fails (e.g. because of the invalid link name).  In this case macvlanhashaddsource is called from macvlanchangesources() / macvlancommonnewlink():  This adds a reference to vlan to the port's vlansourcehash using macvlansourceentry.  vlan is a pointer to the priv data of the link that is being created.  When registernetdevice() fails, the error is returned from macvlannewlink() to rtnlnewlinkcreate():          if (ops->newlink)                 err = ops->newlink(dev, &params, extack);         else                 err = registernetdevice(dev);         if (err < 0) {                 freenetdev(dev);                 goto out;         }  and freenetdev() is called, causing a kvfree() on the struct netdevice that is still referenced in the source entry attached to the lower device's macvlan port.  Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlanforwardsource().  </quote valis>  With all that, my fix is to make sure we call macvlanflushsources() regardless of @create value whenever "goto destroymacvlanport;" path is taken.  Many thanks to valis for following up on this issue.